摘要
XSS(Cross-site Scripting)漏洞是Web应用程序最严重的漏洞之一。针对现有动态检测方法在检测效率方面的不足,提出一种高效率的检测方法。在用攻击向量来测试之前,先提交合法向量来测试,排除肯定不存在XSS漏洞的页面以及收集输入点、输出点、输出点类型的信息。在用攻击向量测试的过程中,只需要根据输出点类型来提交相应的攻击向量作进一步测试,避免遍历所有的攻击向量。另外,只需要到对应的输出点页面寻找特定的数据,可以有效避免遍历所有的页面。实验证明,该方法在提高效率方面很有效。
Cross-site scripting( XSS) vulnerability is one the top web application vulnerabilities. In the paper,we analyse the inadequacy of existing dynamic analysis methods in detecting XSS vulnerability and propose a high-efficiency detection method. Before using attack vectors to test,we first submit legal vectors for testing in order to exclude the pages definitely without XSS vulnerabilities and to collect the information about input points,output points and the types of output points. In the process of testing with attack vectors,it just needs to submit the correlated attack vectors according to output point type for further testing,and avoids traversing all the attack vectors. In addition,by looking for the specific data in corresponding page of output points only,it is able to effectively avoid traversing all the pages. Experiment proves that the proposed method is very effective in improving the efficiency of XSS vulnerability detection.
出处
《计算机应用与软件》
CSCD
2015年第8期272-275,共4页
Computer Applications and Software
基金
国家自然科学基金项目(61202478
61303263)
中央高校基本科研业务费项目(2013QNA26)
关键词
XSS漏洞
动态检测
合法向量
攻击向量
XSS vulnerability Dynamic testing Legal vectors Attack vectors
